Guarantees for ensure clauses with malicious participants

Usually, Daml users expect that the ensure clause holds for every active contract because it’s checked at creation time. However, because it’s only checked at creation time, I’m wondering what guarantees we get in the presence of malicious submitters. Consider this case:

  1. Party A is hosted on participant PA, Party B is hosted on participant PB.
  2. Party A hacks their participant to allow creation of a contract they’re the only stakeholder on which violates the ensure clause.
  3. Now Party A submits a transaction that fetches that contract and that fetch is divulged to participant PB (because B is a witness).

Does participant PB check that the ensure clause holds as part of model conformance and reject that transaction or is it accepted?


The current Canton implementation has the documented limitation that the submitting participant is honest, so this question is a bit outside of the currently provided scope. Long-term, the virtual shared ledger contains only model-conformant actions and ensures clauses are included in model conformance. So if party B is honest, it will not see a contract on the ledger that violates the ensures clause. Implementation-wise, PB will check the ensures clause.

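As an added illustration of the scenario in the question (this is constructed example code, not from the original thread or the Canton project), here is a Daml template with an ensure clause plus a script covering the honest path: a create that violates the clause is rejected at submission, and a consuming choice on a contract observed by B fetches the asset, so B is an informee of the exercise and witnesses the fetch. The module, template and party names are assumptions; the step where a participant is modified to bypass the check cannot be expressed in Daml Script.

```daml
module EnsureDivulgence where

import Daml.Script

-- Constructed example: an invariant enforced only by the ensure clause.
template Asset
  with
    owner : Party
    amount : Int
  where
    signatory owner
    ensure amount > 0

-- B is an observer, so B is an informee of the (consuming) Inspect choice
-- and witnesses the fetch of the Asset inside it; the Asset is thereby
-- divulged to B's participant.
template Viewer
  with
    owner : Party
    viewer : Party
  where
    signatory owner
    observer viewer
    choice Inspect : Int
      with assetCid : ContractId Asset
      controller owner
      do
        asset <- fetch assetCid
        pure asset.amount

test : Script ()
test = do
  a <- allocateParty "A"
  b <- allocateParty "B"
  -- Creation-time check: a violating create is rejected by the submitter.
  submitMustFail a $ createCmd Asset with owner = a; amount = 0
  assetCid <- submit a $ createCmd Asset with owner = a; amount = 10
  viewerCid <- submit a $ createCmd Viewer with owner = a; viewer = b
  -- The fetch inside Inspect is part of a transaction B witnesses.
  amount <- submit a $ exerciseCmd viewerCid Inspect with assetCid
  assert (amount == 10)
```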

Thank you!